
DelphiHookUtils

Delphi API hooking utility project


Origin

Over the National Day holiday Beijing was smothered in smog and I was stuck indoors going mouldy, so I finally had time to work on some things of my own!

Earlier this year I wrote an x64 version based on the HookUtils of wr960204 (武稀松). It worked well, but that implementation depends on the BeaEngine static library, which adds several hundred KB, and for a programmer with my kind of "cleanliness obsession" that was genuinely annoying!

I had noticed before that the BeaEngine site also offers LDE64 (Length Disassembler Engine). In 武稀松's hook implementation, BeaEngine is only ever used to find enough "code gap" (whole instructions at the entry that the jump can overwrite), so a bare LDE should be sufficient.

So I spent two days building this:

https://github.com/delphilite/DelphiHookUtils

Implementation

LDE64's advantage over BeaEngine is obvious: the new HookUtils compiles to roughly 10 KB. Compared with 武稀松's original, the main changes in the new HookUtils are:

  1. Based on the original implementation by wr960204 (武稀松): https://code.google.com/p/delphi-hook-library
  2. Replaced the BeaEngine disassembler with the LDE64 length-disassembler engine, greatly reducing size: https://github.com/BeaEngine/lde64
  3. Removed the original's freezing of other threads. Hook/Unhook are normally expected to be called from unit initialization/finalization; otherwise, rewriting code bytes without suspending the other threads can fault a thread that is executing them at that moment.
  4. Split the COM-related functions out of HookUtils into a separate HookIntfs unit.

Notes

Initial testing on Delphi 2007-11, Lazarus/Typhon/FPC/FMX, x86/x64 for Windows all works fine. Please report any problems promptly!


Issues

Correcting a usage that makes hooking GetTickCount64 fail on x64

http://bbs.2ccc.com/topic.asp?topicid=617767

The reason it fails on x64 is that the code is written wrong: it hooks the jump stub (proxy function) in the import table.

Change

    HookProc(@Winapi.Windows.GetTickCount64, @GetTickCount64CallBack, @GetTickCount64Next);

to

    HookProc('kernel32.dll', 'GetTickCount64', @GetTickCount64CallBack, @GetTickCount64Next);

and it works.

The first form is fine when the function is implemented in Delphi, but here what you are hooking is the import-table jump stub.
The second form hooks the function body inside kernel32.dll.
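Two points on this page can be shown with one small planning routine: the README's claim that a length disassembler is all an inline hook needs (it only has to find whole instructions covering the 5-byte jmp), and the x64 mistake in the issue above, where the address hooked is an import thunk rather than the function body. The following Python is an added example written for this page; it is not code from DelphiHookUtils or LDE64. Its length decoder is a toy that handles only a handful of x86-64 prologue opcodes (a real LDE covers the whole instruction set), the prologue bytes and addresses are constructed, and nothing is written to process memory.

```python
import struct

JMP_REL32_LEN = 5  # size of "E9 rel32", the patch an inline hook writes at the entry


def modrm_len(code, i):
    """Bytes consumed by the ModRM byte at code[i], plus any SIB and displacement."""
    modrm = code[i]
    mod, rm = modrm >> 6, modrm & 7
    n = 1
    if mod != 3 and rm == 4:                 # SIB byte follows
        n += 1
        if mod == 0 and (code[i + 1] & 7) == 5:
            n += 4                           # [index*scale + disp32], no base
    if mod == 0 and rm == 5:
        n += 4                               # [rip + disp32] on x64
    elif mod == 1:
        n += 1                               # disp8
    elif mod == 2:
        n += 4                               # disp32
    return n


def insn_len(code, i):
    """Return (length, ip_relative) for the instruction at code[i].

    Toy subset (assumption): REX prefix, push/pop, nop, ret, call/jmp rel,
    and ModRM forms of mov/lea/test/xor, group-1 arithmetic and FF /r.
    Anything else raises; a real LDE would decode it.
    """
    start = i
    if 0x40 <= code[i] <= 0x4F:              # REX prefix
        i += 1
    op = code[i]
    i += 1
    if op in (0x90, 0xC3) or 0x50 <= op <= 0x5F:
        return i - start, False
    if op in (0xE8, 0xE9):                   # call/jmp rel32
        return i - start + 4, True
    if op == 0xEB:                           # jmp rel8
        return i - start + 1, True
    if op in (0x31, 0x33, 0x85, 0x89, 0x8B, 0x8D, 0xFF, 0x81, 0x83):
        rip_rel = (code[i] & 0xC7) == 0x05   # mod=00 rm=101 is [rip+disp32]
        n = modrm_len(code, i)
        imm = {0x81: 4, 0x83: 1}.get(op, 0)
        return i - start + n + imm, rip_rel
    raise ValueError(f"unsupported opcode {op:#04x} at offset {start}")


def bytes_to_steal(code):
    """Walk whole instructions until at least JMP_REL32_LEN bytes are covered.

    Returns (n, relative): n bytes are displaced into the trampoline, and
    relative says whether one of them is IP-relative and so cannot be copied
    verbatim. Finding n is the only job the README says the LDE does.
    """
    i, relative = 0, False
    while i < JMP_REL32_LEN:
        n, r = insn_len(code, i)
        i += n
        relative = relative or r
    return i, relative


def is_import_thunk(code):
    """FF 25 disp32 = jmp [rip+disp32]: an IAT stub, not the function body.

    On x64 the address of an imported routine can resolve to such a stub,
    which is the mistake described in the issue above.
    """
    return code[:2] == b"\xff\x25"


def plan_hook(target, hook, code):
    """Build the patch for `target` and a trampoline that resumes at target+n.

    target/hook are integer addresses; code is the prologue read from target.
    Returns (patch, trampoline) as bytes; no memory is modified here.
    """
    if is_import_thunk(code):
        raise ValueError("target is an import thunk; hook by module and export name instead")
    n, relative = bytes_to_steal(code)
    if relative:
        raise ValueError("displaced bytes contain an IP-relative instruction; relocate it first")
    disp = hook - (target + JMP_REL32_LEN)
    if not -2**31 <= disp < 2**31:
        raise ValueError("hook is more than 2 GiB from target; rel32 cannot reach it")
    patch = b"\xe9" + struct.pack("<i", disp) + b"\x90" * (n - JMP_REL32_LEN)
    # Trampoline: displaced bytes, then "jmp [rip+0]" with the absolute return address inline.
    trampoline = code[:n] + b"\xff\x25\x00\x00\x00\x00" + struct.pack("<Q", target + n)
    return patch, trampoline


# Constructed sample prologues; not bytes taken from any real DLL.
PROLOGUE = bytes.fromhex("40 53 48 83 ec 20 48 8b d9")             # push rbx; sub rsp,20h; mov rbx,rcx
RIP_PROLOGUE = bytes.fromhex("48 83 ec 28 48 8b 05 00 10 00 00")   # sub rsp,28h; mov rax,[rip+1000h]
THUNK = bytes.fromhex("ff 25 00 20 00 00")                         # jmp [rip+2000h]: import stub

if __name__ == "__main__":
    patch, tramp = plan_hook(0x7FF700001000, 0x7FF700002000, PROLOGUE)
    print("patch:", patch.hex(), "trampoline:", tramp.hex())
    for bad in (RIP_PROLOGUE, THUNK):
        try:
            plan_hook(0x7FF700001000, 0x7FF700002000, bad)
        except ValueError as err:
            print("refused:", err)
```

The first prologue needs six bytes (two whole instructions) to cover the five-byte jmp, so the patch is E9 plus one NOP and the trampoline jumps back to target+6. The second is refused because the displaced `mov rax,[rip+disp32]` would read from the wrong place once copied elsewhere, and the thunk is refused outright: the module-and-name form of HookProc from the issue avoids that case because it locates the export inside kernel32.dll itself.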

Hello, I've read your DelphiHookUtils and have some ideas I'd like to discuss with you

Hello. I have written a hook class of my own, and I would like to build on your hook class: for example, turn it into a class that manages multiple hook points, hooks by matching byte signatures, places a JMP at a given location and sets a callback, page-exception-based hooks, and so on. My QQ is 3570142.
Below is part of my hook class's interface.

Type
  THOOK_InLink = Class
  Private
    { Private declarations }
  Var
    /// <summary>
    /// Original function address
    /// </summary>
    FOriFunAddress :Pointer;

    /// <summary>
    /// New function address
    /// </summary>
    FNewFunAddress :Pointer;

    /// <summary>
    /// Original function code
    /// </summary>
    FOriFunCode :TBytes;

    /// <summary>
    /// Original function ASM
    /// </summary>
    FOriFunASM :TStringList;

    /// <summary>
    /// Original function code with JMP appended (global trampoline)
    /// </summary>
    FOriFunJMPCode :TBytes;

    /// <summary>
    /// Address of the original function code with JMP appended
    /// </summary>
    FOriFunJMPPointer :Pointer;

    /// <summary>
    /// Saved JMP bytes written at the patched location
    /// </summary>
    FCheckJMPCode : Array [ 0 .. 4 ] Of Byte;

    /// <summary>
    /// Size of the saved original code bytes
    /// </summary>
    FOriCodeSize :NativeInt;

    /// <summary>
    /// Module name
    /// </summary>
    FModuleName :String;

    /// <summary>
    /// Function name
    /// </summary>
    FFunctionName :String;

    /// <summary>
    /// Whether to suspend other threads
    /// </summary>
    FSuspendThread :Boolean;

    /// <summary>HOOKCode</summary>
    /// <param name="Callback  (Pointer)">Callback function</param>
    /// <param name="OriCodeStr  (String)">Original assembly code</param>
    /// <param name="PuddingEncoding  (String)">Patch machine code</param>
    /// <returns>Return value: success = TRUE, failure = FALSE</returns>
    Function Hook_Code ( ) :Boolean; Overload;
    Function Hook_Code ( Callback :Pointer; OriCodeStr :String; PuddingEncoding :String ) :Boolean; Overload;

  Public
    { Public declarations }
    Constructor Create ( ); Overload; // constructor
    Destructor Destroy; Override;     // destructor

    Property OriFunAddress :Pointer Read FOriFunAddress Write FOriFunAddress;
    Property NewFunAddress :Pointer Read FNewFunAddress Write FNewFunAddress;
    Property OriFunCode :TBytes Read FOriFunCode Write FOriFunCode;
    Property OriFunASM :TStringList Read FOriFunASM Write FOriFunASM;
    Property OriFunJMPCode :TBytes Read FOriFunJMPCode Write FOriFunJMPCode;
    Property OriFunJMPPointer :Pointer Read FOriFunJMPPointer Write FOriFunJMPPointer;
    Property OriCodeSize :NativeInt Read FOriCodeSize Write FOriCodeSize;
    Property ModuleName :String Read FModuleName Write FModuleName;
    Property FunctionName :String Read FFunctionName Write FFunctionName;
    Property SuspendThread :Boolean Read FSuspendThread Write FSuspendThread;

    { -----------------------------------------------------------------------------------------> API HOOK }
    /// <summary>Hook the first 5 bytes of an API function</summary>
    /// <param name="Module_Name  (String)">Module name</param>
    /// <param name="Function_Name  (String)">Function name</param>
    /// <param name="New_Function_Address  (Pointer)">New function address</param>
    /// <returns>Return value: success = TRUE, failure = FALSE</returns>
    Function Hook_API ( Module_Name :String; Function_Name :String; New_Function_Address :Pointer ) :Boolean;

    { -----------------------------------------------------------------------------------------> HOOK a specified address }
    /// <summary>Hook a specified address</summary>
    /// <param name="Module_Name  (String)">Module name</param>
    /// <param name="Address_Office  (NativeInt)">Offset from the module base (match location)</param>
    /// <param name="New_Function_Address  (Pointer)">New function address</param>
    /// <param name="HOOKOffice  (NativeInt)">Offset of the hook location from the match</param>
    /// <param name="FeatureStr  (String)">Byte signature</param>
    /// <returns>Return value: success = TRUE, failure = FALSE</returns>
    Function Hook_Address ( Module_Name :String; Address_Office :NativeInt; New_Function_Address :Pointer; HOOKOffice :NativeInt; FeatureStr :String ) :Boolean;

    { -----------------------------------------------------------------------------------------> Patch a specified address }
    /// <summary>Patch a specified address</summary>
    /// <param name="Module_Name  (String)">Module name</param>
    /// <param name="Function_Office  (NativeInt)">Offset located by the signature (match location)</param>
    /// <param name="HOOKOffice  (NativeInt)">Offset of the hook location from the match</param>
    /// <param name="Callback  (Pointer)">Callback function</param>
    /// <param name="PuddingEncoding  (String)">Patch machine code</param>
    /// <param name="FeatureStr  (String)">Byte signature</param>
    /// <returns>Return value: success = TRUE, failure = FALSE</returns>
    Function Hook_JMP ( Module_Name :String; Function_Office :NativeInt; HOOKOffice :NativeInt; Callback :Pointer; PuddingEncoding :String; FeatureStr :String ) :Boolean;

    { -----------------------------------------------------------------------------------------> Patch a specified address }
    /// <summary>Patch a specified address</summary>
    /// <param name="HOOKAddress  (NativeInt)">Hook address</param>
    /// <param name="OriCodeStr  (String)">Original assembly code</param>
    /// <param name="Callback  (Pointer)">Callback function</param>
    /// <param name="PuddingEncoding  (String)">Patch machine code</param>
    /// <returns>Return value: success = TRUE, failure = FALSE</returns>
    Function Hook_JMPAdd ( HOOKAddress :NativeInt; OriCodeStr :String; Callback :Pointer; PuddingEncoding :String ) :Boolean;

    { -----------------------------------------------------------------------------------------> Unload HOOK }
    /// <summary>Unload the hook</summary>
    /// <returns>Return value: success = TRUE, failure = FALSE</returns>
    Function Unload_Hook ( ) :Boolean;

    { -----------------------------------------------------------------------------------------> Check HOOK }
    /// <summary>Check the hook</summary>
    /// <returns>Return value: success = TRUE, failure = FALSE</returns>
    Function Check_Hook ( ) :Boolean;

  End;

How can I get the address of an interface method more conveniently?

The function below gets the address of one interface method. How should it be changed so that I can pass the string "SetFileName" and get the address of IFileDialog.SetFileName? Hoping some expert can tell me, thanks! [email protected]

    // IFileDialog comes from Winapi.ShlObj; IntRef is the interface reference
    // (passed in RCX on Win64, EAX on Win32), so [IntRef] is its VMT pointer.
    function GetMethodPointer(const IntRef{IFileDialog}: IInterface): Pointer; assembler;
    {$IFDEF Win64}
    asm
      mov rax, [IntRef]                           // load the interface VMT pointer
      add rax, vmtoffset IFileDialog.SetFileName  // advance to the SetFileName slot
      mov rax, [rax]                              // read the method address into the result
    end;
    {$ELSE}
    asm
      mov eax, [IntRef]                           // load the interface VMT pointer
      add eax, vmtoffset IFileDialog.SetFileName  // advance to the SetFileName slot
      mov eax, [eax]                              // read the method address into the result
    end;
    {$ENDIF}
